Android spyware campaign spreads across the Middle East

The malware is designed to pillage mobile device data.
Written by Charlie Osborne, Contributing Writer

A new campaign has been spotted making its way across the Middle East in an effort to steal device and communications data belonging to Android users. 

According to new research published by Kaspersky on Wednesday, the campaign -- dubbed ViceLeaker -- has been active since May 2018. 

"Dozens" of Android devices belonging to Israeli citizens were targeted in the earliest recorded attack outbreaks and analysis of an APK involved revealed a spyware program "designed to exfiltrate almost all accessible information," the researchers say. 

The main infection vector appears to be through the Telegram and WhatsApp messenger apps. Victims are sent links to Trojanized apps, with one such sample being a fake application named "Sex Game For Adults."

The mobile malware also aims to inject legitimate mobile applications with a backdoor for persistent access once it has compromised an Android device. 

The threat actors behind the malware use a Smali injection technique: they disassemble the original app's code with the Baksmali tool, add their own malicious tweaks, and recompile it. 
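An app rebuilt this way has to be re-signed, because the attacker does not hold the original developer's signing key, so a pinned certificate fingerprint is a practical way to spot such repackaging. The following is an added example, not code from the article or from Kaspersky's research; it assumes APK v1 (JAR) signing, where the signer certificate sits in a PKCS#7 block under META-INF/, and the DER walker and the toy APK it checks are constructed here (v2/v3-only APKs keep their signer in the APK Signing Block, which this does not parse).

```python
import hashlib, io, zipfile

def der_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2  # one DER tag-length-value
    if length & 0x80:  # long form: low 7 bits count the following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):  # walk the sibling TLVs inside a constructed value
        tag, inner, end = der_tlv(value, pos)
        out.append((tag, inner, value[pos:end]))  # (tag, inner value, raw TLV bytes)
        pos = end
    return out

def der_encode(tag, value):  # minimal DER encoder, used only to build the sample below
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + value

def signer_cert(pkcs7):
    # ContentInfo SEQ -> [0] EXPLICIT SignedData SEQ; its 4th child ([0]) is the certificate set.
    signed = der_tlv(der_children(der_tlv(pkcs7)[1])[1][1])[1]
    tag, certs, _ = der_children(signed)[3]
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    return der_children(certs)[0][2]  # first Certificate SEQUENCE, raw DER bytes

def apk_signer_fingerprint(apk_bytes):
    # SHA-256 of the v1 (JAR) signer certificate, or None when the APK has no v1 signature block.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return hashlib.sha256(signer_cert(z.read(name))).hexdigest()
    return None

def is_repackaged(apk_bytes, pinned_fingerprint):
    # An app rebuilt with baksmali/smali must be re-signed, so its signer no longer matches the pin.
    return apk_signer_fingerprint(apk_bytes) != pinned_fingerprint

def build_sample_apk(cert_body):
    # CONSTRUCTED sample: toy APK whose META-INF/CERT.RSA is a minimal PKCS#7 SignedData.
    oid = lambda n: der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07" + bytes([n]))
    signed = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"") + der_encode(0x30, oid(1))
                        + der_encode(0xA0, der_encode(0x30, cert_body)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", der_encode(0x30, oid(2) + der_encode(0xA0, signed)))
    return buf.getvalue()
```

The pin itself should come from the legitimate app as shipped by its developer (for example, the Google Play build), never from the sample under investigation.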

The malicious ViceLeaker APK contained a variety of very common spyware features including the exfiltration of SMS messages, call logs, and device information such as phone model, the operating system in use, and a list of all installed applications. 

However, Kaspersky says that ViceLeaker stands apart in a number of respects: its backdoor functionality, the ability to take over the device's camera, to record audio, and to both steal and delete files stored on the mobile device. 

Kaspersky also found a sample of a modified version of the open-source Jabber/XMPP client called "Conversations" which appears to belong to the ViceLeaker group. While the legitimate program is available on Google Play, the modified version sends the device's geographical coordinates to the C2 whenever a message is sent via the app. 

The modified Conversations app was also disguised to appear as Telegram Messenger on mobile devices. However, it appears that the app in question may not be a threat to your average user. 

"Even when we originally thought this was a backdoored version of the Conversations app, used to infect victims, we didn't discover anything malicious in it," the researchers say. "This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other, unclear purposes." 

ViceLeaker uses HTTP to communicate with its command-and-control (C2) server and to transfer exfiltrated data. While exploring the attacker's C2 footprint, the researchers found an email address linked to a GitHub repository containing the modified Conversations app code. 

"The operation of ViceLeaker is still ongoing, as is our research," Kaspersky says. "The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner."

Bitdefender, too, has previously published research on the Android spyware. The cybersecurity firm chose the name Triout for the malicious code and says that the first sample was uploaded from Russia to VirusTotal in May 2018. 
